Port 9999 carries traffic for something called "distinct." At least, that is what IANA says. The registration belongs to Anoop Tewari at an email address that no longer resolves to anything. The service description is simply "distinct."1
This is the story of port 9999: a door that someone officially claimed, then seemingly abandoned, leaving it open for anyone to walk through. And walk through they did.
The Edge of Named Space
Port 9999 sits at the boundary. It is the last four-digit palindrome in the port number space. It is also the last port number where every digit is the same. There is something psychologically complete about four nines, a number that in numerology represents the end of a cycle, the moment before everything resets.2
In network terms, 9999 falls within the registered port range (1024-49151), meaning IANA can assign it to specific services.3 Someone did request it, once. A person named Anoop Tewari registered it for both TCP and UDP under the service name "distinct," associated with an email domain (next.distinct.com) that has disappeared from the living Internet.
This is the peculiar fate of many registered ports. The registration persists long after the registrant and their service have faded into digital archaeology. The number remains assigned, but the assignment means nothing. Nature abhors a vacuum, and so does the Internet.
The Tenants Who Moved In
The Abyss
In 2001, a developer named Moez Mahfoudh created a web server. In 2002, a small company called Aprelium Technologies, based in Tunis, Tunisia, released it to the world under the name Abyss Web Server.4 The server needed a port for its administrative console, a web interface where you could configure your server. They chose 9999.
"We created Abyss Web Server as a secure and cost effective solution for businesses and individuals who want to insource their Web sites hosting without losing any sleep over it," said Khaled Smache, CEO of Aprelium Technologies.5
For over two decades, Abyss Web Server has been running on developer machines and small hosting setups around the world. When you install it, the console starts at http://localhost:9999 by default. By 2012, the server celebrated its tenth anniversary, still actively maintained, still binding to port 9999.6
The name "Abyss" is apt for port 9999. When you gaze into this port, many things gaze back.
The Debuggers
Java developers know port 9999 intimately. The Java Debug Wire Protocol (JDWP) allows you to attach a debugger to a running Java Virtual Machine over a network socket.7 You launch your application with flags like -agentlib:jdwp=transport=dt_socket,server=y,address=9999 and suddenly the JVM is listening, waiting for an IDE to connect and step through your code line by line.
Port 9999 is popular for this because it is memorable, because it is unlikely to conflict with anything else, because developers needed a number and four nines felt right. At 3am, when the production system is failing and you need to attach a remote debugger, you type 9999 without thinking. The number is already in your muscle memory.
The Miners
When cryptocurrency mining took off, pools needed ports for miners to connect. The Stratum protocol, designed specifically for mining operations, works over plain TCP sockets with JSON-RPC payloads.8 Nanopool, one of the large Ethereum mining pools, runs its European Stratum server on port 9999.9
Every hash submitted, every share accepted, every tiny fraction of a cryptocurrency block flows through these ports. Port 9999 carries computation converted into currency, electricity transformed into tokens, GPUs running hot while the algorithms grind.
The Developers
On any given day, across millions of developer machines, port 9999 is serving something. Mock APIs for QA teams. WebSocket servers for real-time applications. Local instances of applications under development. Node.js processes. Python scripts. Ruby applications.10
Port 9999 is the developer's scratch pad. It is high enough to avoid conflicts with system services, memorable enough to type without checking notes, and unofficial enough that no one expects it to be occupied. When you need a port and you do not want to think too hard, you type 9999.
The Shadows
Security researchers know port 9999 differently. Multiple malware families have used this port for command and control:
The Prayer, a backdoor trojan, listens on port 9999 to receive commands from attackers.11
rpivot uses port 9999 for reverse proxy tunneling, allowing attackers to pivot through compromised networks.11
DarkComet cryptominer connects to mining pools through port 9999, hijacking system resources for unauthorized cryptocurrency generation.11
In 2014, a vulnerability (CVE-2014-9583) exposed ASUS router users through port 9999, where the infosvr service ran with insufficient authentication.12 Gryphon Tower routers had their own vulnerability: an unauthenticated attacker on the same network could execute commands as root by sending malicious packets to port 9999.13
The same qualities that make port 9999 attractive to developers, its memorability and lack of official assignment, make it attractive to attackers. Security guides consistently recommend blocking incoming connections on port 9999 unless explicitly required.11
How It Works
Port 9999 has no protocol of its own. The "distinct" service that officially claims it left no documentation, no RFC, no specification. This is simultaneously a failure and a freedom.
What runs on port 9999 depends entirely on what you put there. The Abyss Web Server console speaks HTTP or HTTPS. JDWP speaks its own binary protocol. Stratum mining pools speak JSON-RPC over TCP. Malware speaks whatever its authors designed.
The typical pattern:
- An application binds to TCP port 9999 on localhost (127.0.0.1) or all interfaces (0.0.0.0)
- The application listens for incoming connections
- Clients connect and begin whatever protocol the application expects
- The connection persists or terminates based on application logic
There is no handshake defined by port 9999 itself. No required headers. No mandatory authentication. The port is pure potential, a number that grants permission to communicate without prescribing how.
The Philosophy of Unassigned Assignment
Port 9999 teaches us something about the Internet's naming systems. Official assignment does not guarantee use. Lack of assignment does not prevent use. The IANA registry is a coordination mechanism, not a law of physics.
When Anoop Tewari registered "distinct" on port 9999, they carved out a small claim in the namespace. When that service faded, the claim became a fossil, preserved in the registry while the ecosystem evolved around it. Abyss Web Server, JDWP debuggers, cryptocurrency miners, and malware authors all ignored the fossil and used the port anyway.
This is not disorder. This is how living systems work. Formal structures provide coordination, but actual behavior emerges from the needs of the moment. Port 9999 is officially "distinct" and practically "whatever you need it to be."
Security Considerations
If port 9999 is open on your network, ask why.
If you are running Abyss Web Server, the default console configuration restricts access to localhost and LAN. Remote access is disabled by default.14 This is wise. The console can configure your web server; exposing it to the Internet is exposing your configuration.
If you are running a JDWP debugger, understand that JDWP has no authentication or encryption by design.7 Exposing a JDWP port to the network is exposing your application to remote code execution. Debug ports belong on localhost, behind firewalls, with access controls.
If you see unexpected traffic on port 9999, investigate. The port's popularity with both legitimate tools and malware means an open 9999 is ambiguous. It could be a developer's test server. It could be a backdoor. You will not know until you look.
If you are choosing a port for your development server, port 9999 is fine for local work. But understand that you are sharing a number with a diverse population of software, some of it benevolent, some of it not.
Related Ports
Port 8080: The unofficial HTTP alternate port, often used for proxies and development servers. Shares the "high numbered, easy to remember" quality of 9999.
Port 8000: Python's SimpleHTTPServer default, Django's development server default. Another developer favorite in the same neighborhood.
Port 3000: Node.js applications, React development servers, Rails default. The modern developer's home base.
Port 5000: Flask's default, common for Python web development.
Port 8888: Jupyter Notebook's default. Another repeating-digit port favored by developers for its memorability.
Port 10000: The next round number after 9999, used by Webmin and other administration tools.
Frequently Asked Questions
Was this page helpful?